
Google to Label Android Apps That Pass a Security Audit

It starts with VPN apps, but independent security testing will come to other app categories, too.
By Ryan Whitwam

Our smartphones are the key to our digital lives, overflowing with a wealth of personal data that shady apps might attempt to collect. Google is expanding a partnership to help Android users make more informed choices when downloading apps. The effort begins with VPN apps, which will soon bear a special badge if they've been audited and found safe and trustworthy. Even this isn't a guarantee, though.

Google began working with the App Defense Alliance (ADA) in 2019, and the partnership was expanded last year to include the Mobile App Security Assessment (MASA). This audit ensures that an app adheres to basic security practices and isn't doing anything obviously malicious.

According to Google's Nataliya Stanetsky, VPN apps are the first category to get recognition in the Google Play Store for passing the MASA review. When searching for VPNs, the Play Store will soon show users a banner notification explaining the meaning of the review badge. The badge will appear in the data safety section of the listing, labeled "Independent security review."

VPNs are the first type of app to get this treatment because they handle a great deal of personal data. When you connect to a VPN, you're routing all your web traffic through the provider's servers. That gives the operator a chance to snoop on everything you're doing, which some sketchy VPNs (particularly free ones) have used to great effect. For example, Facebook's Onavo VPN helped the company learn about the apps and services people were using, which led to its acquisition of WhatsApp. Facebook shut down that app in 2019.

Searching for VPN apps will display the info banner that tells users to look for the independent review badge. Credit: Google

Google added a full data safety header to Play Store listings last year, but developers fill it out on their own, and no one checks to make sure they're telling the truth. The MASA analysis is not particularly deep, so the badge doesn't mean an Android app is incapable of nefarious activity. The assessment scans for poor safety practices like writing sensitive data to log files and reusing cryptographic keys. It may miss factors that make apps unsafe, but this is the best we've got. Some independent testing is better than none.

Understandably, Google would want to start the MASA rollout with VPN apps, given how much data they can collect. Google says big names like NordVPN, Google One, and ExpressVPN have already done the optional audit. It expects more developers will undergo testing to get that badge, but you should only route your data through services you trust. The security review badge is just one signal to consider.
